From 474e1393e04abf42605df794ac79de2dd668f5e6 Mon Sep 17 00:00:00 2001
From: Ludovic Rousseau
Date: Sat, 18 Jan 2025 16:55:30 +0100
Subject: [PATCH] Hardening systemd pcscd.service file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

The exposure level was:
$ systemd-analyze security pcscd.service
[...]
→ Overall exposure level for pcscd.service: 9.6 UNSAFE 😨

And we now have:
$ systemd-analyze security pcscd.service
[...]
→ Overall exposure level for pcscd.service: 2.1 OK 🙂

Thanks to David Fields for the initial patch "systemd service hardening for pcscd"
https://github.com/LudovicRousseau/PCSC/issues/207
---
etc/pcscd.service.in | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)

diff --git a/etc/pcscd.service.in b/etc/pcscd.service.in
index 65ad6a69..71d3c729 100644
--- a/etc/pcscd.service.in
+++ b/etc/pcscd.service.in
@@ -8,5 +8,39 @@ ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS
 ExecReload=@sbindir_exp@/pcscd --hotplug
 EnvironmentFile=-@sysconfdir@/default/pcscd
 
+# Paths
+ProtectProc=invisible
+
+# Capabilities
+CapabilityBoundingSet=
+
+# Security
+NoNewPrivileges=yes
+
+# Process Properties
+UMask=0077
+
+# Sandboxing
+ProtectSystem=strict
+ProtectHome=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+# System Call Filtering
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+SystemCallArchitectures=native
+
 [Install]
 Also=pcscd.socket
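Review bot: `ProtectSystem=strict` in the Sandboxing block mounts the whole hierarchy except /dev, /proc and /sys read-only, and nothing added here (`RuntimeDirectory=` or `ReadWritePaths=`) re-opens /run/pcscd for writing, so if pcscd still creates its pid file or anything else under /run/pcscd at startup that write will now fail with EROFS; if the write is still needed, add `RuntimeDirectory=pcscd` beside it and confirm with a socket-activated start that the unit reaches the running state. The block leaves `PrivateDevices=` and `DevicePolicy=` unset, presumably because readers are reached through the USB device nodes under /dev, but nothing records that; a comment such as `# PrivateDevices= deliberately unset: readers are reached via /dev/bus/usb` keeps a later hardening pass from adding it and silently losing every reader. No `User=` appears in the hunk, so the daemon presumably still starts as root and the empty `CapabilityBoundingSet=` together with `PrivateUsers=yes` is what actually strips its privileges; stating that under `# Capabilities` would stop the two lines from being edited independently. `MemoryDenyWriteExecute=yes` also applies to every IFD driver pcscd loads with dlopen(), so a driver that needs writable-and-executable memory will fail at reader-attach time rather than at unit start, which is worth a line in the commit message or packaging notes.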